VMware would like to thank Zhang Haitao for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4925 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

| VMware Product | Product Version | Running on | Severity | Replace with/ Apply Patch | Mitigation/ Workaround |
|---|---|---|---|---|---|
| ESXi | 6.5 | ESXi | Moderate | ESXi650-201707101-SG | None |
| ESXi | 6.0 | ESXi | Moderate | ESXi600-201706101-SG | None |
| ESXi | 5.5 | ESXi | Moderate | ESXi550-201709101-SG | None |
| Workstation | 12.x | Any | Moderate | 12.5.3 | None |
| Fusion | 8.x | OSX | Moderate | 8.5.4 | None |

c. Stored XSS in H5 Client

vCenter Server H5 Client contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker with VC user privileges can inject malicious JavaScript, which is executed when other VC users access the page.

VMware would like to thank Thomas Ornetzeder for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4926 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

| VMware Product | Product Version | Running on | Severity | Replace with/ Apply Patch | Mitigation/ Workaround |
|---|---|---|---|---|---|
| vCenter Server | 6.5 | Any | Moderate | 6.5 U1 | None |
| vCenter Server | 6.0 | Any | N/A | Not affected | N/A |
| vCenter Server | 5.5 | Any | N/A | Not affected | N/A |

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.